Intravision/reactos
1
0
Fork 0
mirror of https://github.com/reactos/reactos.git synced 2024-06-22 22:11:39 +00:00
Code Issues Packages Projects Releases Wiki Activity

[NTOS:MM] Do not map two pages into hyperspace in MiCopyFromUserPage. CORE-14548

Browse source 
Doing this is not only wrong because it acquires the same spinlock twice,
it also completely breaks the TLB flushing logic in MiMapPageInHyperSpace.
If the PTE with Offset 1 is still valid when a wrap-around to 0 happens,
the TLB flush on wrap-around will not clear the entry for this previous page.
After another loop around all hyperspace pages, page 1 is re-used but its
TLB entry has not been flushed, which may result into incorrect translation.
This commit is contained in:
Thomas Faber 2018-04-15 19:42:18 +02:00
parent ee8d82f29d
commit b54e5c689c
No known key found for this signature in database
GPG key ID: 076E7C3D44720826
2 changed files with 7 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
ntoskrnl/include/internal/mm.h
View file

@ -757,8 +757,8 @@ MmAccessFault(
NTSTATUS
NTAPI
MiCopyFromUserPage(
PFN_NUMBER NewPage,
PFN_NUMBER OldPage
PFN_NUMBER DestPage,
const VOID *SrcAddress
);
/* process.c *****************************************************************/

12
ntoskrnl/mm/section.c
View file

@ -1040,23 +1040,21 @@ BOOLEAN MiIsPageFromCache(PMEMORY_AREA MemoryArea,
NTSTATUS
NTAPI
MiCopyFromUserPage(PFN_NUMBER DestPage, PFN_NUMBER SrcPage)
MiCopyFromUserPage(PFN_NUMBER DestPage, const VOID *SrcAddress)
{
PEPROCESS Process;
KIRQL Irql, Irql2;
PVOID DestAddress, SrcAddress;
KIRQL Irql;
PVOID DestAddress;
Process = PsGetCurrentProcess();
DestAddress = MiMapPageInHyperSpace(Process, DestPage, &Irql);
SrcAddress = MiMapPageInHyperSpace(Process, SrcPage, &Irql2);
if (DestAddress == NULL || SrcAddress == NULL)
if (DestAddress == NULL)
{
return(STATUS_NO_MEMORY);
}
ASSERT((ULONG_PTR)DestAddress % PAGE_SIZE == 0);
ASSERT((ULONG_PTR)SrcAddress % PAGE_SIZE == 0);
RtlCopyMemory(DestAddress, SrcAddress, PAGE_SIZE);
MiUnmapPageInHyperSpace(Process, SrcAddress, Irql2);
MiUnmapPageInHyperSpace(Process, DestAddress, Irql);
return(STATUS_SUCCESS);
}
@ -1781,7 +1779,7 @@ MmAccessFaultSectionView(PMMSUPPORT AddressSpace,
/*
* Copy the old page
*/
MiCopyFromUserPage(NewPage, OldPage);
NT_VERIFY(NT_SUCCESS(MiCopyFromUserPage(NewPage, PAddress)));
/*
* Unshare the old page.